Email Security Considerations for Google Workspace Users

Google’s Email Security Strengths

With a huge user base to protect, Google Workspace continues to improve its built-in email security all the time. But threat actors are increasing the sophistication of their attacks too.

Using public-domain literature from Google and insights from the experience of GreatHorn’s operations teams, we look at how Google Workspace protects your enterprise from email-related risks and attacks.

Let’s start with its strengths. Google’s native capabilities are known to be effective for a number of basic hygiene capabilities, like:

• Blocking emails from known bad senders
• Scanning attachments with antivirus
• Blocking emails with known bad URLS
• Performing content analysis to identify SPAM

Overall, known bads (senders, links, or attachments) will be quarantined, preventing users from engaging with these risky emails. By default, all emails will be scanned for spam (anonymous, unsolicited messages sent in bulk), which increases business productivity and reduces the volume of daily nuisance emails that contribute to inbox fatigue, lowering users’ capacity to spot true risks.

Room for Improvement

Threat actors continue to target Google’s email users. In fact, Google was one of the top 7 brands for attackers to spoof in 2022.

Here are some areas where there’s room for improvement to ensure you have the best protection against business email compromise (BEC).

• Sophisticated anomaly detection
• Credential harvesting attacks
• Account takeover detection

While Google has strong baseline capabilities for handling known bads, it hasn’t fared as well against more sophisticated attacks. In our blog, we shared an example of a Google impersonation attack that bypassed Google’s own native controls. With impersonation and account takeover attacks on the rise via BEC, many organizations will want to consider additional email security to protect your enterprise from email-related risks and attacks.

Additional Security Considerations

With Google handling static threats well, organizations should be considering solutions that allow for dynamic policies, specific to phishing and other threats and requirements, to close that gap.

Integrated cloud email security (ICES) solutions that connect to cloud-native email platforms using APIs to examine emails are fast becoming the industry standard. Providing defense in depth through a variety of advanced detection techniques, user education, and streamlined search and remediation capabilities to contain the impact of compromised internal accounts, ICES solutions augment Google’s native email security for more robust risk mitigation.

Key Capabilities

• Artificial Intelligence (AI) and Machine Learning (ML)

  AI and ML, along with natural language understanding (NLU) and natural language processing (NLP), enhance your ability to identify and address attack types that operate in the gray area, outside of what typical threat intelligence can detect. These technologies can be used to perform relationship analysis, pair with machine vision to inspect destination sites in real time, evaluate communication patterns and styles, and identify other anomalous characteristics that simple matching against known bads fails to reveal.

• User Education

  Arming end users with the contextual information they need to make the most informed decisions can greatly reduce risk. ICES solutions commonly utilize custom banners to offer guidance directly oriented toward the potential risk the user is interacting with. Less commonly, they may provide mailbox intelligence, alerts that help users understand who it is they are communicating with, if they or their colleagues have ever spoken to the sender in question before, and if there are any notable risk areas included with the message they are reading. Account takeover protection is a key protection against BEC, used to actually validate the identity of a sender using biometric authentication, reducing exposure from any compromised account.

• Streamlined Search and Remediation

  Since sophisticated attacks can take many forms and often lack the sender and/or subject line consistency of more simplistic volumetric phishing campaigns, having a robust search engine that enables you to search against any combination of factors from relatively simple content-based keyword searches to more technical metadata is beneficial in acting quickly to remediate. Incident response to perform bulk removal of threats from user inboxes is another important capability, especially for larger organizations.

Google Workspace’s built-in email security features provide strong protection against static, known bads. But “Unknown Bad” attacks are delivered daily by social engineering, malware, malicious links, vendor and executive impersonation, BEC, phishing, supply chain, advanced malware, and combinations of these.

To optimize the performance of your email-related risk function, complementary capabilities gained from ICES solutions provide defense in depth, dynamically engaging additional layers of content analysis, user education, and remediation capabilities. ICES solutions do not offer uniform functionality, so invest wisely in comprehensive protection, while minimizing overlaps, overhead, and redundant spend.